A new critical vulnerability, identified as CVE-2022-43397, has been discovered in the Parasolid geometric modeling kernel, affecting multiple versions of the library. This vulnerability could potentially allow an attacker to execute arbitrary code within the context of the current process when parsing maliciously crafted X_T files.
Parasolid V35. (All versions < V35..170)
The vulnerability was assigned the Zero Day Initiative (ZDI) identifier ZDI-CAN-17854.
Vulnerability Details
The CVE-2022-43397 vulnerability is caused due to an out-of-bounds write error that occurs past the end of an allocated buffer during the parsing of specially crafted X_T files. This issue can be leveraged by an attacker to execute arbitrary code within the context of the current process. Here is a code snippet illustrating the problematic behavior:
void parse_XT_file(char *file_data, size_t file_size) {
// ...
// Allocate buffer based on file_size
char *buffer = malloc(file_size * 2);
if (buffer == NULL) {
return;
}
// ...
// Read data from the file and copy it to the buffer
while (file_data != NULL) {
// ... (index is incremented somewhere in here)
// This bounds check is insufficient as it allows data
// to be written past the end of the buffer
if (index < file_size) {
buffer[index] = file_data[index];
// ...
}
}
// ...
}
Exploitation and Impact
An attacker exploiting this vulnerability could effectively create a malicious X_T file that contains specially crafted data meant to trigger the out-of-bounds write. When a vulnerable application utilizing the Parasolid library parses this file, it is possible for the attacker to execute arbitrary code within the affected process's context.
The impact of this vulnerability could be potentially severe, as it could allow an attacker to compromise the integrity, confidentiality, and availability of information or potentially take control of the affected system. As such, immediate steps must be taken by users of the affected Parasolid library to mitigate this issue.
Mitigation and Vendor Response
To address the CVE-2022-43397 vulnerability, users of the affected Parasolid library versions should immediately update to the latest patched versions as outlined below:
Parasolid V35. - Update to V35..170
In addition, users should exercise caution when opening X_T files from untrusted sources and ensure that their applications perform appropriate input validation as a measure to prevent exploitation.
References
- ZDI-CAN-17854
- Parasolid Library
- CVE-2022-43397
This post has exclusively detailed the CVE-2022-43397 vulnerability in the Parasolid geometric modeling kernel library, its impact on users, and various mitigation measures that can be applied to reduce the susceptibility to exploitation. It is crucial for affected users to take immediate action to remediate this vulnerability and protect their systems from potential cyber-attacks based on this exploit.
Timeline
Published on: 11/08/2022 11:15:00 UTC
Last modified on: 11/08/2022 16:27:00 UTC